apt: add apt selftest to test signed package feeds

Since Gatesgarth apt (1.8.2) has become more strict and doesn’t allow unsigned repositories by default. Currently when building images this requirement is worked around by using [allow-insecure=yes] and equivalently when performing selftest. Patches "gpg-sign: Add parameters to gpg signature function" and "package_manager: sign DEB package feeds" enable signed DEB package feeds. This patch adds a runtime test for apt derived from the test_testimage_dnf test. It creates a signed deb package feed, runs a qemu image to install the key and performs some package management. To be able to install the key the gnupg package is added to the testimage. (From OE-Core rev: 10fd76e6dfd97b57a9e2f592677c7e47b622e6b5) Signed-off-by: Ferry Toth <ftoth@exalondelft.nl> Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit 3ec30490d09d6639eea2638cf12a323948f221cc) Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Ferry Toth <ftoth@exalondelft.nl> 2022-04-13 22:37:41 +0200
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2022-04-28 17:07:18 +0100
commit: 15d0cc7db5c30f4a277006b6d7ad200cc352a775 (patch)
tree: ee1386e28f24bad5808adb64db912429d9ba224c /meta/lib/oeqa/runtime/cases
parent: 3bc9b46bd9efe112137026d6cad294d6469dec54 (diff)
download: poky-15d0cc7db5c30f4a277006b6d7ad200cc352a775.tar.gz
1 files changed, 31 insertions, 7 deletions
diff --git a/meta/lib/oeqa/runtime/cases/apt.py b/meta/lib/oeqa/runtime/cases/apt.py
index 53745df93f..574a34f148 100644
--- a/meta/lib/oeqa/runtime/cases/apt.py
+++ b/meta/lib/oeqa/runtime/cases/apt.py
@@ -21,7 +21,7 @@ class AptRepoTest(AptTest):
    @classmethod
    def setUpClass(cls):
-        service_repo = os.path.join(cls.tc.td['DEPLOY_DIR_DEB'], 'all')
+        service_repo = os.path.join(cls.tc.td['DEPLOY_DIR_DEB'], '')
        cls.repo_server = HTTPService(service_repo,
                                      '0.0.0.0', port=cls.tc.target.server_port,
                                      logger=cls.tc.logger)
@@ -34,20 +34,44 @@ class AptRepoTest(AptTest):
    def setup_source_config_for_package_install(self):
        apt_get_source_server = 'http://%s:%s/' % (self.tc.target.server_ip, self.repo_server.port)
        apt_get_sourceslist_dir = '/etc/apt/'
-        self.target.run('cd %s; echo deb [ allow-insecure=yes ] %s ./ > sources.list' % (apt_get_sourceslist_dir, apt_get_source_server))
+        self.target.run('cd %s; echo deb [ allow-insecure=yes ] %s/all ./ > sources.list' % (apt_get_sourceslist_dir, apt_get_source_server))
+    def setup_source_config_for_package_install_signed(self):
+        apt_get_source_server = 'http:\/\/%s:%s' % (self.tc.target.server_ip, self.repo_server.port)
+        apt_get_sourceslist_dir = '/etc/apt/'
+        self.target.run("cd %s; cp sources.list sources.list.bak; sed -i 's/\[trusted=yes\] http:\/\/bogus_ip:bogus_port/%s/g' sources.list" % (apt_get_sourceslist_dir, apt_get_source_server))
    def cleanup_source_config_for_package_install(self):
        apt_get_sourceslist_dir = '/etc/apt/'
        self.target.run('cd %s; rm sources.list' % (apt_get_sourceslist_dir))
+    def cleanup_source_config_for_package_install_signed(self):
+        apt_get_sourceslist_dir = '/etc/apt/'
+        self.target.run('cd %s; mv sources.list.bak sources.list' % (apt_get_sourceslist_dir))
+    def setup_key(self):
+        # the key is found on the target /etc/pki/packagefeed-gpg/
+        # named PACKAGEFEED-GPG-KEY-poky-branch
+        self.target.run('cd %s; apt-key add P*' % ('/etc/pki/packagefeed-gpg'))
    @skipIfNotFeature('package-management',
                      'Test requires package-management to be in IMAGE_FEATURES')
    @skipIfNotDataVar('IMAGE_PKGTYPE', 'deb',
                      'DEB is not the primary package manager')
    @OEHasPackage(['apt'])
    def test_apt_install_from_repo(self):
-        self.setup_source_config_for_package_install()
+        if not self.tc.td.get('PACKAGE_FEED_GPG_NAME'):
-        self.pkg('update')
+            self.setup_source_config_for_package_install()
-        self.pkg('remove --yes run-postinsts-dev')
+            self.pkg('update')
-        self.pkg('install --yes --allow-unauthenticated run-postinsts-dev')
+            self.pkg('remove --yes run-postinsts-dev')
-        self.cleanup_source_config_for_package_install()
+            self.pkg('install --yes --allow-unauthenticated run-postinsts-dev')
+            self.cleanup_source_config_for_package_install()
+        else:
+            # when we are here a key has been set to sign the package feed and
+            # public key and gnupg installed on the image by test_testimage_apt
+            self.setup_source_config_for_package_install_signed()
+            self.setup_key()
+            self.pkg('update')
+            self.pkg('install --yes run-postinsts-dev')
+            self.pkg('remove --yes run-postinsts-dev')
+            self.cleanup_source_config_for_package_install_signed()
author	Ferry Toth <ftoth@exalondelft.nl>	2022-04-13 22:37:41 +0200
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2022-04-28 17:07:18 +0100
commit	15d0cc7db5c30f4a277006b6d7ad200cc352a775 (patch)
tree	ee1386e28f24bad5808adb64db912429d9ba224c /meta/lib/oeqa/runtime/cases
parent	3bc9b46bd9efe112137026d6cad294d6469dec54 (diff)
download	poky-15d0cc7db5c30f4a277006b6d7ad200cc352a775.tar.gz